{"id":15646818,"url":"https://github.com/thangchung/bff-auth","last_synced_at":"2025-04-30T12:34:27.872Z","repository":{"id":49346426,"uuid":"435379164","full_name":"thangchung/bff-auth","owner":"thangchung","description":"The demonstration of modern authentication using BFF pattern and authorization enforcer using OPA","archived":false,"fork":false,"pushed_at":"2021-12-27T15:11:22.000Z","size":3902,"stargazers_count":57,"open_issues_count":4,"forks_count":5,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-30T12:31:46.901Z","etag":null,"topics":["authentication","bff-microservice","dotnet","golang","identityserver4","nextjs","opa","reverse-proxy","rust"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/thangchung.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-12-06T06:05:08.000Z","updated_at":"2025-04-26T21:35:37.000Z","dependencies_parsed_at":"2022-09-24T05:21:42.579Z","dependency_job_id":null,"html_url":"https://github.com/thangchung/bff-auth","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thangchung%2Fbff-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thangchung%2Fbff-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thangchung%2Fbff-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thangchung%2Fbff-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/thangchung","download_url":"https://codeload.github.com/thangchung/bff-auth/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251701868,"owners_count":21629908,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","bff-microservice","dotnet","golang","identityserver4","nextjs","opa","reverse-proxy","rust"],"created_at":"2024-10-03T12:15:10.611Z","updated_at":"2025-04-30T12:34:27.810Z","avatar_url":"https://github.com/thangchung.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Why BFF for Authentication?\n\nTODO\n\n# When to use BFF Auth with Cookies-based\n- Used: \n  - Cookies (Same site) and move the authentication to the trusted backend\n  - Use a dedicated backend for SPA now and move the security to the trusted backend\n  - Azure does not support introspection or the revocation endpoint so you cannot invalidate the tokens, or logout an Azure SPA fully. BFF removes this problem\n- Not used:\n  - High load apps or cross domain with high load\n  - In this case, please use tokens, but it has a risk of tokens to be robbed in the client-side\n\n# Get starting\n\n- Start frontend\n\n```bash\n# Start front-end\n\u003e cd frontend/bff-auth-nextjs\n\u003e yarn dev\n```\n\n- Start backend\n\n```bash\n# Start auth-server, BFF server, and sale-api\n\u003e tye run\n```\n\n- Go to `https://localhost:8080`, and start to play with it\n\n![](assets/auth_flow.gif)\n\n# High level architecture\n\n![](assets/overview.png)\n\n# Hosts and Services\n\n\u003ctable\u003e\n  \u003ctr\u003e\n    \u003ctd\u003eNo.\u003c/td\u003e\n    \u003ctd\u003eName\u003c/td\u003e\n    \u003ctd\u003eTechnical Stacks\u003c/td\u003e\n    \u003ctd\u003eURI\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e1\u003c/td\u003e\n    \u003ctd\u003eGateway (BFF Auth)\u003c/td\u003e\n    \u003ctd\u003e.NET 6 (YARP)\u003c/td\u003e\n    \u003ctd\u003ehttps://localhost:8080\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e2\u003c/td\u003e\n    \u003ctd\u003eDuende.IdentityServer\u003c/td\u003e\n    \u003ctd\u003e.NET 6\u003c/td\u003e\n    \u003ctd\u003ehttps://localhost:5001\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e3\u003c/td\u003e\n    \u003ctd\u003eProduct API\u003c/td\u003e\n    \u003ctd\u003eRust (Axum, Tower, Hyper, Tokio)\u003c/td\u003e\n    \u003ctd\u003ehttp://localhost:5003\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e4\u003c/td\u003e\n    \u003ctd\u003eSale API\u003c/td\u003e\n    \u003ctd\u003eGolang (fiber)\u003c/td\u003e\n    \u003ctd\u003ehttp://localhost:5004\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e5\u003c/td\u003e\n    \u003ctd\u003eShip API (TODO)\u003c/td\u003e\n    \u003ctd\u003e.NET 6\u003c/td\u003e\n    \u003ctd\u003ehttp://localhost:5005\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e5\u003c/td\u003e\n    \u003ctd\u003eWeb\u003c/td\u003e\n    \u003ctd\u003eNextjs\u003c/td\u003e\n    \u003ctd\u003ehttp://localhost:3000\u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\n\n# References\n- RFC-8693: https://github.com/RockSolidKnowledge/TokenExchange\n- https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps-08\n- https://github.com/manfredsteyer/yarp-auth-proxy\n- https://developer.okta.com/blog/2021/01/04/offline-jwt-validation-with-go\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthangchung%2Fbff-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthangchung%2Fbff-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthangchung%2Fbff-auth/lists"}